AutoGPT Vulnerable to OS Command Injection Due to Flaw in Shell Command Validation Function
CVE-2024-1881

9.8 CRITICAL

Key Information:

Vendor: Significant Gravitas
CVE Published: 6 June 2024

What is CVE-2024-1881?

AutoGPT, developed by Significant Gravitas, has a security vulnerability that enables OS command injection because the application does not adequately validate shell commands. The flaw affects versions from v0.5.0 up to but not including v5.1.0. The root cause lies in the command validation mechanism, which compares only the first word of a shell command against an incomplete allowlist. As a result, an attacker can construct commands that circumvent these restrictions, potentially leading to the execution of arbitrary commands at the operating-system level. Such a capability poses considerable risk to system integrity and security, so users should address this vulnerability promptly to safeguard their environments.
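The following is an added illustration, not AutoGPT's own code: it places the flawed "first word only" pattern the advisory describes beside a hardened validator that checks every simple command in a list or pipeline against the allowlist and refuses substitution and redirection. The allowlist itself is constructed for the example.

```python
import shlex

# Constructed allowlist for this example; it is not AutoGPT's own list.
ALLOWED_COMMANDS = frozenset({"ls", "cat", "grep", "wc", "echo"})
# Operators that start a new simple command when a string is run by a shell.
LIST_OPERATORS = frozenset({";", "&&", "||", "|", "&"})
PUNCTUATION = set("();<>|&")  # what shlex splits out with punctuation_chars=True


def first_word_check(command: str) -> bool:
    """The flawed pattern the advisory describes: only the first word is compared
    against the allowlist, so anything after a control operator is never examined."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED_COMMANDS


def validate_command(command: str) -> bool:
    """Hardened check: every simple command in a pipeline or command list must
    start with an allowlisted program; substitution and redirection are refused."""
    if any(c in command for c in "`$\n"):
        return False  # `...`, $(...) and ${...} cannot be validated lexically; newline acts as ';'
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)  # "ls;id" -> ['ls', ';', 'id']; quoted text stays one token
    except ValueError:
        return False  # unbalanced quotes
    if not tokens:
        return False
    expect_program = True  # the next token must name a program
    for tok in tokens:
        if tok in LIST_OPERATORS:
            if expect_program:
                return False  # operator with no command before it, e.g. "; ls"
            expect_program = True
            continue
        if set(tok) <= PUNCTUATION:
            return False  # redirection, subshell or an unrecognised operator run
        if expect_program:
            if tok not in ALLOWED_COMMANDS:
                return False
            expect_program = False
    return not expect_program  # a trailing operator is rejected too
```

Even with this check in place, the approved command should be executed without `shell=True` wherever possible, so that the validator is a second line of defence rather than the only one.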

Affected Version(s)

significant-gravitas/autogpt < 5.1.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved